Posted

According to http://virusscan.jotti.org/ it bypasses all but AntiVir. I have also tested with the latest version of Norton.

I just got sick of AVs removing my netcat from my usbkey. I'd love to upload my patch, but exe files seem to be rejected. PM me if you're interested, or if you have a place it can be uploaded to and then linked to.

<edit>

I have uploaded the file to rapidshare. Click Here

In short, I added a NOP in the sig for Norton, and then encrypted the rest of the .text section with a VERY simple xor script to hide it from the rest. There are a few anti-virus programs that appear to use the .data section in their sig, still working on encrypting that without destroying the program's functionality.

</edit>

  • 4 weeks later...
Posted

Create a batch to rename the files with an unknown extension or remove .exe altogether. Then when you want to use the program have another batch that'll restore the extensions. Had to do this with Cain on my usb because McAfee would auto-remove it.

Posted
Create a batch to rename the files with an unknown extension or remove .exe altogether. Then when you want to use the program have another batch that'll restore the extensions. Had to do this with Cain on my usb because McAfee would auto-remove it.

I'm amazed that such a simple tweak works to prevent AV doing its "thing". I was under the impression that AV looks at data within the file (as a signature), rather than simply the file extension.

Posted

It doesn't scan the contents of the file until you actually try to run it. The only other time where it would auto-remove based on content otherwise is if you've got realtime scanning enabled on a halfway decent security suite and are copying/moving the file to another disk/location.

Posted

I think you can add exceptions to drives and paths in AVG or basically any antivirus software. I remember having to do it when I used Norton 2003, and then when I switched over to AVG I did the same thing for my hacktoolz dir.

  • 4 weeks later...
Posted
I think you can add exceptions to drives and paths in AVG or basically any antivirus software. I remember having to do it when I used Norton 2003, and then when I switched over to AVG I did the same thing for my hacktoolz dir.

That's great until you want to run your tools on another computer.

Posted
It doesn't scan the contents of the file until you actually try to run it. The only other time where it would auto-remove based on content otherwise is if you've got realtime scanning enabled on a halfway decent security suite and are copying/moving the file to another disk/location.

Most antiviruses with real-time protection, and even on-demand scanners, scan by file extension. Basically if you make it a random extension that the AV has no clue about, it will not scan for it. I believe this is to speed up time on the AV's part. If you do an on-demand scan of the specific file (even with the extension changed), it will most likely remove it.
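
The replies above turn on scanners that decide what to inspect from the file extension, which is why defenders identify executables by content instead. The following is an added example, not code from any poster in this thread: it flags Windows PE files whose extension is not an executable one. The extension list, function names and sample bytes are assumptions constructed for illustration.

```python
import os
import struct

# Assumed list of extensions a scanner would already treat as executable.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com"}


def is_pe(header: bytes) -> bool:
    """True if the bytes begin with a DOS header that points at a PE signature."""
    if len(header) < 0x40 or header[:2] != b"MZ":
        return False
    # e_lfanew (offset 0x3C) holds the file offset of the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
    return header[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_disguised_pe(root: str, read_size: int = 4096) -> list:
    """Return sorted paths under root that are PE files without an executable extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXTS:
                continue  # already covered by extension-based scanning
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(read_size)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            # A PE signature beyond read_size is not seen; raise read_size if needed.
            if is_pe(head):
                hits.append(path)
    return sorted(hits)


def constructed_pe_header() -> bytes:
    """Constructed sample: 0x80-byte DOS header (e_lfanew=0x80) plus the PE signature."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\0\0"
```

Run `find_disguised_pe` over removable media or user-writable directories and feed the hits to a full content scan.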

Posted

Yes I know it's not likely you could get away with it. Ok... here's a more solid example of what I mean:

I put netcat in an iso file to keep on my hard drive. Real-time scans don't do anything to it. Even if it does detect it during a manual/automatic scan, it can't remove it because it's a disc image... unless it actually just considered the whole .iso a bad file.

Posted
Yes I know it's not likely you could get away with it. Ok... here's a more solid example of what I mean:

I put netcat in an iso file to keep on my hard drive. Real-time scans don't do anything to it. Even if it does detect it during a manual/automatic scan, it can't remove it because it's a disc image... unless it actually just considered the whole .iso a bad file.

Your virii protection is shit then.
